[PATCH nft 3/5] src: rt: add support to check if route will perform ipsec transformation


 



Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 doc/primary-expression.txt          |  4 ++++
 include/linux/netfilter/nf_tables.h |  1 +
 src/parser_bison.y                  |  2 ++
 src/parser_json.c                   |  1 +
 src/rt.c                            |  5 +++++
 src/scanner.l                       |  1 +
 tests/py/any/rt.t                   |  2 ++
 tests/py/any/rt.t.json              | 30 ++++++++++++++++++++++++++++++
 tests/py/any/rt.t.payload           | 10 ++++++++++
 9 files changed, 56 insertions(+)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 18b4c52f367d..5024a11faf39 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -259,6 +259,9 @@ ipv4_addr/ipv6_addr
 |mtu|
 TCP maximum segment size of route |
 integer (16 bit)
+|ipsec|
+route via ipsec tunnel or transport |
+boolean
 |=================================
 
 .Routing expression specific types
@@ -273,6 +276,7 @@ Routing Realm (32 bit number). Can be specified numerically or as symbolic name
 --------------------------
 # IP family independent rt expression
 filter output rt classid 10
+filter output rt ipsec missing
 
 # IP family dependent rt expressions
 ip filter output rt nexthop 192.168.0.1
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 143ebe287a1c..1a63bd1e32f4 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -832,6 +832,7 @@ enum nft_rt_keys {
 	NFT_RT_NEXTHOP4,
 	NFT_RT_NEXTHOP6,
 	NFT_RT_TCPMSS,
+	NFT_RT_XFRM,
 	__NFT_RT_MAX
 };
 #define NFT_RT_MAX		(__NFT_RT_MAX - 1)
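Review bot: The new `NFT_RT_XFRM` enumerator is undocumented, although this is the UAPI definition that both nft and the kernel compile against. If the kerneldoc block for `enum nft_rt_keys` precedes this hunk as it does in the kernel copy of the header, it should gain `@NFT_RT_XFRM: boolean, true if the route performs an xfrm (IPsec) transformation`, parallel to the existing `@NFT_RT_TCPMSS` entry. Appending the value immediately before `__NFT_RT_MAX` keeps the existing numbering stable, which is the right ABI choice; the kernel header must carry the same position, otherwise `rt ipsec` would select a different key on a mismatched kernel. The enum starts before this hunk.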
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 85830d880b05..32d61b3b6723 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -510,6 +510,7 @@ int nft_lex(void *, void *, void *);
 
 %token EXTHDR			"exthdr"
 
+%token IPSEC		"ipsec"
 %type <string>			identifier type_identifier string comment_spec
 %destructor { xfree($$); }	identifier type_identifier string comment_spec
 
@@ -3830,6 +3831,7 @@ rt_expr			:	RT	rt_key
 rt_key			:	CLASSID		{ $$ = NFT_RT_CLASSID; }
 			|	NEXTHOP		{ $$ = NFT_RT_NEXTHOP4; }
 			|	MTU		{ $$ = NFT_RT_TCPMSS; }
+			|	IPSEC		{ $$ = NFT_RT_XFRM; }
 			;
 
 ct_expr			: 	CT	ct_key
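Review bot: Reserving `ipsec` as a bare keyword for `rt_key` means any existing ruleset that uses `ipsec` as a table, chain, set or map name stops parsing once this nft is installed, unless the `identifier` production (outside this hunk) already admits keyword tokens as names. A ruleset that fails to load leaves the host without its firewall rules, so I would add `| IPSEC` to that production alongside the other keywords it accepts, or call out the incompatibility in the commit message. The `rt_key` mapping itself agrees with the JSON table in parser_json.c (`"ipsec"` → `NFT_RT_XFRM`).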
diff --git a/src/parser_json.c b/src/parser_json.c
index 514bc46bba1b..3f0ab0ac1993 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -621,6 +621,7 @@ static struct expr *json_parse_rt_expr(struct json_ctx *ctx,
 		{ "classid", NFT_RT_CLASSID },
 		{ "nexthop", NFT_RT_NEXTHOP4 },
 		{ "mtu", NFT_RT_TCPMSS },
+		{ "ipsec", NFT_RT_XFRM },
 	};
 	unsigned int i, familyval = NFPROTO_UNSPEC;
 	const char *key, *family = NULL;
diff --git a/src/rt.c b/src/rt.c
index caa4947d048a..b63284fbcd9a 100644
--- a/src/rt.c
+++ b/src/rt.c
@@ -79,6 +79,11 @@ const struct rt_template rt_templates[] = {
 					      2 * BITS_PER_BYTE,
 					      BYTEORDER_HOST_ENDIAN,
 					      false),
+	[NFT_RT_XFRM]		= RT_TEMPLATE("ipsec",
+					      &boolean_type,
+					      BITS_PER_BYTE,
+					      BYTEORDER_HOST_ENDIAN,
+					      false),
 };
 
 static void rt_expr_print(const struct expr *expr, struct output_ctx *octx)
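Review bot: The `NFT_RT_XFRM` template carries no comment saying what its boolean means, and its 8-bit width and `false` family flag only make sense to a reader who already knows it mirrors a one-byte kernel flag. I would add above the entry: `/* 1 when the packet's route has an xfrm (IPsec) transform attached, 0 otherwise; family independent, presumably one byte to match the kernel's register store. */`. Because `rt ipsec missing drop` in an output chain is the natural leak guard for hosts that must never emit cleartext, the comment should also state, if the kernel side confirms it, that the match reflects the outgoing route's xfrm only and says nothing about whether a received packet was decrypted. The `rt_templates` array begins before this hunk.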
diff --git a/src/scanner.l b/src/scanner.l
index 2f45e05bfe81..26e63b9bcc0c 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -554,6 +554,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 
 "exthdr"		{ return EXTHDR; }
 
+"ipsec"			{ return IPSEC; }
 {addrstring}		{
 				yylval->string = xstrdup(yytext);
 				return STRING;
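Review bot: The new `"ipsec"` rule is glued to the generic `{addrstring}` rule with no separating blank line, whereas the neighbouring `"exthdr"` keyword keeps a blank line on both sides; keyword rules in this file are grouped with whitespace so the catch-all rules stand apart. I would insert a blank line after `"ipsec"			{ return IPSEC; }` and match the tab alignment used for `"exthdr"` so the action column lines up.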
diff --git a/tests/py/any/rt.t b/tests/py/any/rt.t
index 4f65eaad3917..3ce57e05b5f0 100644
--- a/tests/py/any/rt.t
+++ b/tests/py/any/rt.t
@@ -5,3 +5,5 @@
 *inet;test-inet;output
 
 rt classid "cosmos";ok
+rt ipsec exists;ok
+rt ipsec missing;ok
diff --git a/tests/py/any/rt.t.json b/tests/py/any/rt.t.json
index 955d12a3d891..2ca6fe013925 100644
--- a/tests/py/any/rt.t.json
+++ b/tests/py/any/rt.t.json
@@ -13,3 +13,33 @@
     }
 ]
 
+# rt ipsec exists
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "ipsec"
+                }
+            },
+            "op": "==",
+            "right": true
+        }
+    }
+]
+
+# rt ipsec missing
+[
+    {
+        "match": {
+            "left": {
+                "rt": {
+                    "key": "ipsec"
+                }
+            },
+            "op": "==",
+            "right": false
+        }
+    }
+]
+
diff --git a/tests/py/any/rt.t.payload b/tests/py/any/rt.t.payload
index 0e354fa020b2..e1ecb2860ed0 100644
--- a/tests/py/any/rt.t.payload
+++ b/tests/py/any/rt.t.payload
@@ -3,3 +3,13 @@ ip test-ip4 input
   [ rt load classid => reg 1 ]
   [ cmp eq reg 1 0x00000000 ]
 
+# rt ipsec exists
+ip test-ip4 input
+  [ rt load ipsec => reg 1 ]
+  [ cmp eq reg 1 0x00000001 ]
+
+# rt ipsec missing
+ip test-ip4 input
+  [ rt load ipsec => reg 1 ]
+  [ cmp eq reg 1 0x00000000 ]
+
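Review bot: Both new payload cases are listed under `ip test-ip4 input`, but a routing-xfrm lookup is only meaningful once a route has been selected on the output side, and if the kernel's `nft_rt` validation restricts `NFT_RT_XFRM` to output/postrouting hooks as it does for `NFT_RT_TCPMSS`, these rules will be rejected when the suite is run against a live kernel with `-e`, even though the bison and JSON parse checks pass. I would confirm against the kernel patch and, if so, place the two `rt ipsec` cases under an output table such as `inet test-inet output` from rt.t, leaving the `input` table to the classid case.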
-- 
2.16.4



